Misc

Web 2.0 application security troubleshooting, testing tutorial

Table of Contents
Introduction
The process of Web application security testing
Web application security tools
Common Web application vulnerabilities
About the author

Introduction
You've heard about the importance of Web application security. You know security is not a product or a one-time status but rather an essential ingredient that has to be baked-in, literally, to the SDLC.

A large part of my security assessment work involves Web security. Based on what I see, there's an obvious justification for sound Web security practices such as those the OWASP Top Ten Project addresses. Regardless of the caliber of your firewall or the fact that you're using SSL, Web security weaknesses are still pervasive across all types of industries. From manufacturing to banking to higher education the same Web application flaws exist across the board. Figure 1 shows the OWASP Top 10-based Web vulnerabilities I've found in my Web security assessment work in the past year alone.




Figure 1 – Percentage of OWASP Top 10 Web vulnerabilities I discovered in my work

As you can see, Cross-site Scripting (XSS) was the most common finding. I found it in 93% of the sites/applications I tested. Broken Authentication and Session Management and Improper Error Handling had a strong showing as well. Not surprisingly, I didn't find a single instance of Insecure Storage in the same timeframe. However, I was surprised to find some exploitable Denial of Service weaknesses – something that's often taken for granted but can certainly put a stranglehold on your business if you don't catch it in time.

I think it's pretty clear that some work still needs to be done with Web security – especially with regard to XSS and the authentication mechanisms sitting in front of many applications. The "old" adage that security is a business issue that must be supported by management if it's going to be successful is worth repeating. No amount of secure coding, agile development, or QA is enough to have secure Web applications. You have to test for security vulnerabilities using good tools and proven ethical hacking techniques over and over and over again – period. And then, of course, you have fix the issues that matter.

Check out this Web Application Security Guide for all you need to know to get started with Web application security and ensure you're on the path to success.

Back to the top

Web application security testing checklist
Audio Introduction Testing Web applications for security vulnerabilities can be an exciting endeavor, but that doesn't mean that it should be taken lightly. The best way to be successful is to prepare a plan in advance. This Web application security checklist will help you do just that.
Read this tip and learn:
  • The importance of setting expectations
  • How to choose automated tools
  • Where to test for underlying weaknesses
  • Why you must verify scanner findings
  • The value of source code analysis tools




The process of Web application security testing

Common software security risks and oversights
Audio Introduction The foundation for solid software security lies in business operations. But, as important as it is, establishing this foundation isn't easy or appealing. This tip outlines four fundamental software security issues that result from a disconnect existing between business and technical operations. You'll also find a list of questions that will help you begin to close this gap and improve the security of your applications.

10 steps to acing Web app security assessments
Audio Introduction The key to a successful Web application security assessment is diligent upfront planning – certainly not an easy task when time is short and resources are tight. However, taking into consideration these ten issues before you dive into that security assessment will help ensure that the project runs smoothly, is thorough and finishes on schedule.

Hack maliciously to boost your software's security
Audio Introduction Web vulnerability scanning tools have their place in an application security assessment, but they are not the be all and end all. Web application testing should consist of automated methods as well as manual hacking attempts. This tip explains the role tools should play in your assessments and the value of malicious hacking.


How to reduce software security, quality flaws with static source code analysis
Audio Introduction Static source code analysis it too often overlooked in software security risk testing and management, even though it's easy to do. Doing it helps testers evaluate every attack surface in a Web application. Beyond that, this process automates tedious manual analysis and can quickly spotlight security flaws and quality issues that others, like penetration testing, miss. Static source code analysis is simply the act of using a scanning tool to analyze source code, whether it's in Java, C# or another development language. While it is primarily used in Web application development, it can be used in various computing scenarios, including client/server or standalone applications. New tools can even extend source code analysis to dynamic, or hybrid, analysis to see what's happening during application runtime.

Back to the top



Web application security tools

Using the Firefox Web Developer extension to find security flaws
Audio Introduction Application security testers should have a variety of tools at their disposal, including Firefox Web Developer. While its primary purpose is to help troubleshoot Web pages, Web Developer is a formidable tool for manually uncovering security flaws. Learn how you can use this free tool to analyze cookies, manipulate forms, parse JavaScript and more.

Spotting rich Internet application security flaws with WebGoat
Audio Introduction You can't trust Web vulnerability scanners to catch the weaknesses in rich Internet applications. Developers, QA analysts and security managers must learn how to identify vulnerabilities in Web services and AJAX applications themselves. This tip introduces WebGoat, an insecure J2EE Web application that is designed to teach Web application security lessons, such as Web service SQL injection and Web service SAX injection.

Back to the top



Common Web application vulnerabilities

Fixing four Web 2.0 input validation security mistakes
Audio Introduction Failure to validate your Web application's data input can lead to data loss, denial of service and execution of unauthorized code. Learn about four Web security weaknesses that result from input validation mistakes and how to fix them, including system variables in URLs, invalidated data input fields and unfiltered contact forms.

Commonly-overlooked security flaws in rich Internet applications
Audio Introduction The more complex your Web applications, the more complex and dangerous your Web security vulnerabilities become. This tip describes four common security flaws in rich Internet applications like Flash, Web services and AJAX. Learn about vulnerability scanners and application stress testing tools that can help you uncover these weaknesses.

Web security problems: Five ways to stop login weaknesses
Audio Introduction Authentication mechanisms are meant to prevent unauthorized users from accessing network resources; however, if they're not properly implemented, authentication mechanisms can serve as open doors to the corporate network. This tip reviews five Web authentication vulnerabilities that present significant risks. Software developers, QA and security professionals learn how to stop login weaknesses that range from weak passwords to faulty multifactor authentication lockout mechanisms.

Back to the top


Kevin Beaver
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security including the ethical hacking books Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.
Back to the top

This was first published in August 2009

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: